From Disclosure to National Crisis: What the CBSE OSM Fiasco Reveals About India's API Security Blind Spot

A Crisis That Was Predicted in Public

Three months ago, a Class 12 student named Nisarga Adhikary privately reported a serious vulnerability he had discovered in the CBSE On-Screen Marking (OSM) portal. With the issues still largely unaddressed, he published his findings publicly — outlining how the portal could be compromised end-to-end using nothing more than a browser, a JavaScript file, and DevTools. He cautioned that the integrity of board exam evaluations for millions of students could be at risk.

This week, the prediction came true. In a span of seventy-two hours:

Students reported being charged anywhere from ₹1 to over ₹69,000 for a single revaluation request as the CBSE portal's payment gateway malfunctioned
One Class 12 student shared screenshots showing that the "Physics answer sheet" linked to his roll number contained handwriting and responses that were not his
Another student reported a similar mismatch in his Chemistry answer sheet
CBSE acknowledged the discrepancies, issued an apology, and stated revised marks would be issued
The Union Education Minister tasked IIT Madras to conduct an emergency platform audit

Step back from the noise and look at the architecture behind these failures. Every symptom dominating the headlines had already been described, in technical detail, months earlier. The question is no longer whether the vulnerabilities were real — it's what they reveal about how India is designing and operating critical citizen-facing APIs.

Two Stories, One Architecture

Story A — The Technical Vulnerabilities (Feb 2026)

ATTACK KILL CHAIN · CBSE OSM PORTAL

Hardcoded Master Password in Public JS Bundle

A master password embedded in the public Angular bundle auto-filled the OTP field and bypassed authentication entirely. Only a public user ID and school code required.

A02 Cryptographic Failures · API2 Broken Auth

OTP Validation Performed Client-Side

The server returned the OTP in the auth response. The browser simply checked its own work — meaning the OTP was trivially readable from the network response.

A04 Insecure Design · API8 Security Misconfiguration

No Route Guards — Full UI Accessible Unauthenticated

Setting a few values in localStorage/sessionStorage allowed direct navigation to /dashboard, /evalscriptsview, /evaluatordetails and other internal routes.

API1 BOLA · API5 BFLA · A01 Broken Access Control

Password Reset With No Old-Password Verification

The ChangePassword API accepted only ValuatorID and pin_NewPassword. The "old password" collected by the UI was never sent to the server — meaning anyone could reset any examiner's password.

API2 Broken Auth · API5 BFLA

Systemic IDOR — ValuatorID Trusted From Client Storage

Every request trusted the ValuatorID or user_id stored in sessionStorage. Edit the value in the browser → become any examiner. Full access to evaluation scripts and marks.

API1 BOLA · API3 Broken Object Property · A01 Broken Access Control

Story B — The Public Fiasco (May 21–26, 2026)

Payment gateway chaos: students charged ₹1 to ₹69,000+ for the same revaluation request
Mismatched answer sheets: Physics and Chemistry scripts with different handwriting mapped to wrong student IDs — confirmed by CBSE
Portal instability: crashes, frozen pages, and "service unavailable" errors throughout the revaluation window
Ministerial escalation: IIT Madras directed to audit authentication, payment gateway, and infrastructure

THE CONNECTING THREAD

These appear to be two separate crises — a security disclosure and an operational meltdown. They aren't. Both stem from the same architectural failure: trusting the client. The OSM platform treats client-controlled values as authoritative identity. When the client becomes the source of truth, the system cannot distinguish a legitimate operation from an attack — or a correctly bound answer sheet from a mismatched one.

Full OWASP Mapping

The Disclosed Vulnerabilities

#	Finding	OWASP Web 2021	OWASP API 2023	Severity
1	Hardcoded master password in JS bundle	A02, A04, A07	API2 Broken Auth	CRITICAL
2	OTP validated client-side; server returns the secret	A04, A07	API2, API8	CRITICAL
3	No route guards; full UI accessible unauthenticated	A01, A04	API1 BOLA, API5 BFLA	HIGH
4	ChangePassword never verifies old password	A07, A04	API2, API5	CRITICAL
5	Systemic IDOR — ValuatorID trusted from client storage	A01	API1 BOLA, API3	CRITICAL

The Operational Fiasco

Public Symptom	Root Cause OWASP Mapping
Payment charges ₹1–₹69,000 for the same item	A04 Insecure Design + A08 Data Integrity Failures + API3 (client-controlled payment property tampering) + API10 Unsafe Consumption of APIs
Wrong answer sheets bound to wrong students	API1 BOLA + A01 Broken Access Control + A04 Insecure Design (no integrity-validated server-side enforcement)
Portal crashes during revaluation peak	API4 Unrestricted Resource Consumption + A05 Security Misconfiguration
Discrepancies discovered by students, not the system	A09 Security Logging & Monitoring Failures — no internal mechanism to detect misbound records

WHY THIS IS UNCOMFORTABLE

A01 Broken Access Control has been the #1 web risk since 2021. API1 BOLA has been the #1 API risk since 2019. The CBSE OSM portal is not failing because of exotic zero-day attacks. It is failing on the exact items that sit at the top of every threat list a CISO or product security team would consult. A platform serving 1.8 million students shipped without protections against the most well-known classes of API risk in the industry.

Why Traditional Defences Would Not Have Helped

If you put a typical WAF or API gateway in front of the OSM portal, would either have prevented what we witnessed? Walk through it:

# What the CBSE attack looks like on the wire
POST /api/ChangePassword
Authorization: Bearer <valid-looking session token>
Content-Type: application/json

{"ValuatorID":"EXAMINER_42","pin_NewPassword":"NewPass123!"}

# WAF assessment:
→ No SQLi pattern detected
→ No XSS payload present
→ No command injection found
→ Schema: valid JSON
→ DECISION: ALLOW

# Reality:
→ No old_password field sent — server accepts anyway
→ ValuatorID belongs to a different examiner
→ Password reset completes — full account takeover
→ WAF saw nothing suspicious. Zero alerts fired.

The OSM attacks succeed because the server-side runtime never has ground truth about who the caller actually is. No amount of perimeter inspection fixes that. You need visibility inside the application runtime — where the syscall, the process, the real session identity, and the API operation all meet.

How ziriz.ai Would Have Changed the Outcome

ziriz.ai operates inside the host kernel — observing every API call as it leaves or enters the application process, with full server-side context attached. Here's how each crisis layer would have been handled differently:

// ziriz.ai CAPABILITY ↔ CBSE OSM CRISIS MATRIX

Runtime API discoveryShadow ChangePassword payload mismatch — oldpassword silently droppedAPI9

Behavioral baselining of identity claimsSystemic IDOR — ValuatorID read from client sessionStorageAPI1, API3, API5

Auth-outcome telemetryMaster-password bypass path; OTP returned in login responseAPI2, A07, A02

Object-binding integrityMisbound Physics/Chemistry answer sheets — wrong student ID mappingAPI1, API3, A01

Sensitive-data egress detectionOTP returned in API login response bodyAPI3, A02

Frontend artifact / secret scanningHardcoded master password in public Angular JS bundleA02, API8

Payment-flow property baseliningPayment amounts ranging ₹1–₹69,000 for same revaluation requestAPI3, API10, A08

Inline syscall-level enforcementReal-time block of password-reset kill chain before DB commitA01, API1, API2

THE ANSWER SHEET MISMATCH — THE DETAIL THAT MATTERS MOST

The misbinding of answer sheets to candidate IDs is, structurally, the same class of failure as IDOR. In a ziriz-protected pipeline: the first request that fetched a script with a candidate-ID mismatch would have raised an immediate object-binding integrity alert. Operators would have known before students did. That difference is the difference between a quietly-fixed bug and a national-news incident requiring ministerial intervention.

Five Lessons for India's Public-Sector and Enterprise APIs

The disclosure-to-incident pipeline must have an SLA

The report was submitted on February 25, 2026. The issues remained largely unresolved through the revaluation window in May — a 90-day gap during which the system operated on hope rather than assurance. Critical digital infrastructure serving millions of citizens cannot have a 90-day patch window.

Compliance ≠ Security

The OSM portal presumably cleared whatever procurement and audit checklists preceded deployment. Checklists rarely test for IDOR. Pen-tests do, but they're point-in-time. The only durable answer is continuous runtime visibility that holds under real load, in production, against real users.

The client is not a trust boundary

Every single finding traces to one root cause: security decisions placed in code that runs on the user's machine, and identity read from values the user controls. The fix is not better client-side hardening. It is enforcing every security decision server-side, on every request, with ground-truth identity bound to the session at the kernel.

Object-binding integrity is now a first-class security control

Vedant Shrivastava's viral post is not a "user experience" bug. It's a security failure: the system could not guarantee that a record served under his identity actually belonged to him. As more of India's exam, health, tax, and banking flows go digital, the integrity of who-owns-what-record is existential.

Defences must operate where the truth lives — inside the runtime

WAFs, API gateways, and passive traffic-mirroring tools all sit outside the truth. By the time they see a request, the security-relevant context has been laundered into a clean, well-formed HTTP payload. Kernel-native runtime security sees what those tools cannot: the real process, the real session, the real syscall, the real identity claim.

This Was Not a Surprise. The Next One Doesn't Have To Be Either.

The full sequence — a responsible disclosure in February, unpatched vulnerabilities through April, payment chaos and misbound answer sheets in May, viral student outrage, and ministerial intervention bringing in IIT Madras — was avoidable. Every layer of the failure maps to a well-understood OWASP category that India's security community has known about for years.

To anyone in government, BFSI, healthcare, education, or any sector running APIs that handle the trust of millions of citizens: now is the moment to ask whether your defences sit outside your runtime or inside it. The CBSE OSM crisis is showing us, in real time, what happens when they sit outside.

ziriz.ai was built for this exact moment. Kernel-native. Runtime-aware. Identity-anchored to the server, not the browser. We see the API the way the operating system sees it — with full context, in real time — and we act before the damage compounds.

Don't wait for your own CBSE moment.

Get a free ziriz.ai API Risk Assessment — including BOLA/BFLA detection, shadow API discovery, IDOR surface mapping, and OWASP API Top 10 gap analysis. Delivered within 72 hours.

Request Free API Security Assessment

Sources: Vulnerability technical details drawn from the public write-up by Nisarga Adhikary, responsibly disclosed to CERT-In on Feb 25, 2026. Operational fiasco details from contemporaneous reporting by Indian Express, NewsX, and other Indian education-news outlets, May 21–26, 2026.